Rash of Data Breaches Strikes California Healthcare Companies

California healthcare companies have reported a rash of data breaches, exposing information that included the medical conditions and treatments of patients.

The state’s hospitals, medical vendors and health insurers have reported at least eight breaches of customer data since the start of the year, according to records maintained by the state’s attorney general. It’s not known if that number is rising, as the state only began tracking data breaches last year. But many of the cases showed providers failed to take basic precautions to protect patient data, such as encrypting health information stored on hardware. For example, in several cases patient records were stolen when healthcare workers left unencrypted laptops containing patient data in cars.

The cases suggest that as healthcare companies push through technology reform, security protections aren’t always keeping pace. “It’s an adjustment phase, [the industry] still has a good five years to get to the point where we fully reap the benefits of going electronic,” said Darren McLachlan, vice president of IT at SynerMed Inc., a healthcare technology vendor. “I think security is going to get much better but there will still be that risk.”

Mr. McLachlan’s company has had to learn some security lessons the hard way. SynerMed reported last week that thieves stole a laptop containing records of emergency room visits from a worker’s car, where it was left overnight, potentially exposing the records of 3,100 patients. Mr. McLachlan said that because employees are not supposed to store patient data on local hard drives, the company did not have a policy to encrypt laptops.

Mr. McLachlan says the machine’s password protection is not enough to ensure criminals did not access patient health information; a login password controls access to the operating system but does not encrypt what is on the disk, which can be read by booting the machine from other media or moving the drive to another computer. “It’s going to take a more sophisticated criminal, but the risk was there,” Mr. McLachlan said. “That’s why we’re going through the whole notification process.”

While SynerMed says it will now encrypt its laptops, many other companies leave data unsecured. Walgreen Co.’s Crescent Healthcare Inc. reported in February that burglars who stole desktop computer hardware from its Anaheim billing center may have gained access to “medical information, including diagnosis.”

In another case in January, at the Palo Alto-based Lucile Packard Children’s Hospital, a password-protected but unencrypted laptop was stolen from a doctor’s car. The computer contained “limited information relating to care provided” to children at the hospital.

Patient records from California’s Sutter Health hospital system may have fallen into the hands of criminals. Names, birthdates and Social Security numbers of 4,500 patients were discovered by police during a drug bust, the Sacramento Business Journal reported yesterday. Sutter spokeswoman Stacey Wells would not comment on whether the information was found in electronic or paper form. “We are part of an ongoing investigation and can’t discuss this detail,” Ms. Wells said. But Ms. Wells noted that all of the organization’s computers had been encrypted six months earlier.

The encryption directive came after an earlier breach in 2011, when theft of an unencrypted Sutter computer exposed data of more than 4 million patients. Sutter faces a class action suit over the security lapse, which Ms. Wells says is unrelated to the current breach.

The state’s attorney general’s office says it’s unclear whether healthcare providers are experiencing a spike in data breaches as hospitals roll out electronic medical records. Tougher reporting requirements, which began in 2012, might also have brought more incidents to light.

Either way, Luis Taveras, CIO of Hartford HealthCare in Hartford, Conn., says ensuring that devices are encrypted will reduce breaches. Mr. Taveras says numerous computers, potentially containing patient data, have been stolen from his organization. “But the key is that they have been non events because every one of those machines are encrypted,” making the data within unreadable, Mr. Taveras said.
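The control Mr. Taveras describes, and the one SynerMed and Lucile Packard lacked, comes down to a question an administrator can ask of every machine: is each filesystem that could hold patient data sitting on an encrypted volume, or on a bare partition that any thief can read by moving the drive? The script below is an added example written for this page, not code from the article or from any of the organizations it names. It parses the `key="value"` output format of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` on Linux (a constructed sample layout is embedded so it runs offline) and reports mounted filesystems whose device is not a dm-crypt mapping. The function names and the sample disk layout are hypothetical.

```shell
#!/bin/sh
# Added example: flag mounted filesystems that sit directly on a raw partition
# or disk rather than on a dm-crypt (LUKS) mapping.  Input is the format of
# `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` on Linux.

# Constructed sample for a hypothetical laptop: the root volume is a LUKS
# mapping ("crypt"), but /data is plain ext4 on a second disk and would be
# readable by anyone who removes the drive.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="root" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data"'

# unencrypted_mounts: read lsblk -P lines on stdin and print
# "NAME FSTYPE MOUNTPOINT" for every mounted filesystem whose block device
# is not a crypt mapping.  /boot and the EFI system partition are skipped
# because the firmware must read them before any key is available; every
# other mounted filesystem is expected to be encrypted.
unencrypted_mounts() {
  awk '
    {
      name = ""; type = ""; fstype = ""; mp = ""
      for (i = 1; i <= NF; i++) {
        eq  = index($i, "=")
        key = substr($i, 1, eq - 1)
        val = substr($i, eq + 1)
        gsub(/"/, "", val)            # strip the quotes lsblk -P adds
        if (key == "NAME")            name   = val
        else if (key == "TYPE")       type   = val
        else if (key == "FSTYPE")     fstype = val
        else if (key == "MOUNTPOINT") mp     = val
      }
      if (mp == "" || type == "crypt") next
      if (mp == "/boot" || mp == "/boot/efi") next
      print name, fstype, mp
    }'
}

# check_encryption: reads the same stdin, returns 0 when every mounted data
# filesystem is on a crypt mapping and 1 otherwise, listing the offenders.
check_encryption() {
  offenders=$(unencrypted_mounts)
  if [ -n "$offenders" ]; then
    printf 'UNENCRYPTED: %s\n' "$offenders"
    return 1
  fi
  printf 'OK: all mounted data filesystems are on dm-crypt mappings\n'
  return 0
}

# Demonstration on the constructed sample (expected to fail on sdb1).
printf '%s\n' "$SAMPLE_LSBLK" | check_encryption || echo "check failed as expected for the sample"
```

On a live Linux host the same check is `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT | check_encryption`; the Windows and macOS equivalents are `manage-bde -status` for BitLocker and `fdesetup status` for FileVault. Two caveats a practitioner should keep in mind: the check proves only that the block layer is encrypted, not that the passphrase is strong or that recovery keys are escrowed somewhere safe, and an encrypted volume is readable for as long as it is unlocked, so a laptop stolen while suspended with the volume open is still exposed. Mountpoints containing spaces would also break the whitespace-based field splitting used here.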

Mr. Taveras says the healthcare industry is still going through a “maturity process” in establishing norms around IT security. “The silver lining in these cases is they make us more aware,” Mr. Taveras said. “And we have to be. The patients demand it and it’s our responsibility.”

Comments

While stolen laptops can cause issues, by far the biggest targets for cyber attackers are servers and privileged user accounts. Perimeter security is clearly failing and now that the bad guys are inside the networks, the best way to protect what matters (sensitive patient data, etc.) is through a combination of encryption and key management. Healthcare providers are definitely starting to take action, but typically AFTER they have suffered a breach or two. If I were writing a prescription for the healthcare industry, it would be to establish security best practices that center on protecting sensitive data as close to the source as possible.

11:05 am June 14, 2013

Guardian Data Destruction wrote:

What about archived patient data which is simply stored in a closet, warehoused or boxed up at an IT data center?

Upfront protection from cyber theft is a priority, yet while the front door is locked, no one is watching the garage.

9:22 pm June 13, 2013

Asaf Cidon wrote:

Hardware encryption is not an effective way to prevent these HIPAA data breaches. Hardware encryption solutions are typically expensive and clunky, and cannot be applied to most smartphones or tablets. In addition, it's really hard to enforce hardware encryption when doctors start bringing their own devices to work.
